Labs June 13, 2018

BadRabbit ransomware attack

The Obrela LABS Team

A new ransomware campaign by the name BadRabbit has targeted Russia, Turkey, Ukraine, Bulgaria, Japan and other countries.

The Security Operations Center of Obrela Security Industries want to keep our customers continuously updated of the attack and provide threats mitigation and prevention guidance. SOC has increased its readiness and verbosity over anomalies in SMB traffic, communication to list of suspicious IP addresses and domains, and more.

What is it about?

The ransomware infection is originally initiated by visiting compromised websites.

As such, (a) it requires user interaction asking the user to visit the compromised web site, (b) then it is redirected to 1dnscontrol[.]com, (c) in order to download a fake Flash update (install_flash_player.exe).

This executable file (630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da) is the dropper for the malware that infects the target Workstation (the actual malware).

The resulting malware can propagate via SMB, having many similarities to the Petya/Nyetya attack.

It also utilizes a version of mimikatz security tool in order to steal credentials and use them to propagate to other hosts (sim. Nyetya).

Once a windows computer is infected, it reboots the computer, encrypts the hard drive’s master file table (MFT) and replaces the computer’s MBR with its own malicious code to show the ransomware note upon reboot. The encryption of the files is performed by DiskCryptor to do a full drive encryption. Keys are generated and protected by RSA 2048 public key.

What is the impact of this attack?

As result of this attack, the computer is locked and shows a random note asking victims to pay a bitcoin amount to allow getting control back of their systems.

What our customers should do as part of mitigation and prevention actions

  • Utilize this signatures in EDR tools or Event Management tools to identify infection using specific hashes:

630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da (Dropper)

8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93 C:\Windows\dispci.exe (diskcryptor client)

682ADCB55FE4649F7B22505A54A9DBC454B4090FC2BB84AF7DB5B0908F3B7806 C:\Windows\cscc.dat (x32 diskcryptor drv)

0b2f863f4119dc88a22cc97c0a136c88a0127cb026751303b045f7322a8972f6 C:\Windows\cscc.dat (x64 diskcryptor drv)

579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648 C:\Windows\infpub.dat

2f8c54f9fa8e47596a3beff0031f85360e56840c77f71c6a573ace6f46412035 (mimikatz-like x86)

301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c (mimikat-like x64)

  • Identify scheduled tasks that are noticed to be created in Windows hosts:

viserion_

rhaegal

drogon

  • Block specific domains / uris in perimeter proxies

1dnscontrol[.]com

/flash_install.php

185.149.120[.]3

Argumentiru[.]com

Fontanka[.]ru

Adblibri[.]ro

Spbvoditel[.]ru

Grupovo[.]bg

www.sinematurk[.]com

caforssztxqzf2nm[.]onion

  • Ensure all Windows-based systems are patched with the latest security updates.
  • Close all public facing SMB (ports TCP 139, 445)
  • Ensure blocking any connections to TOR nodes and TOR -related traffic on network.
  • Ensure that anti-malware software is running on all endpoints in the organization and ensure that the software regularly receives malware signature updates.
  • Users are strongly encouraged to back up frequently their data to be able to restore them in case their devices have been infected with the malware.
  • Users are strongly advised that do not open emails that contain links or attachments from unknown recipients or when the subject or content of the email is unusual to them.